Severity: high. Category: malware. Status: resolved.

Google-led disruption of NetNut botnet exposes massive Android proxy abuse infrastructure

Google and partners have disrupted NetNut, a residential proxy network exploiting approximately 2 million compromised Android devices, IoT boxes, and smart TVs. The takedown removes a significant infrastructure-as-a-service operation that enabled credential stuffing, ad fraud, and content scraping at scale.

Sebastion

Affected

Android devices
Smart TVs
Streaming boxes
IoT devices

NetNut operated as a residential proxy service that monetised access to millions of compromised consumer devices without owner consent. The service sold proxy capacity to attackers conducting account takeover attacks, web scraping, ad fraud, and geo-restricted content bypass. Unlike datacenter proxies that are easily blacklisted, residential IPs originating from real consumer devices are significantly harder to filter, making such botnets attractive to threat actors.

The affected device ecosystem spans Android smartphones, smart TVs, and streaming boxes, suggesting broad distribution via app stores, firmware updates, or pre-installation arrangements. The 2 million figure represents only active devices at time of disruption; the total infected base may have been considerably larger. Device owners remained entirely unaware their connections were being weaponised for third-party attacks.

The report does not describe how the takedown was carried out. Disruptions of this kind typically rely on court-ordered seizure or sinkholing of command-and-control domains together with cooperation from hosting providers and registrars, not on BGP hijacking, which is itself an attack technique rather than a takedown tool. This coordinated approach is becoming standard for major botnets, but it requires significant technical and legal coordination across multiple jurisdictions and providers.

The incident underscores a persistent weakness in the Android model: an app holding only the INTERNET and RECEIVE_BOOT_COMPLETED permissions, both granted at install time without a runtime prompt, can open arbitrary outbound connections and restart after every reboot, which is all a proxy node needs; background execution limits constrain this but do not remove it. While sandboxing has improved, privilege escalation and pre-installation paths remain viable for large-scale botnet operations. A device enlisted as a proxy node shows no change in its own proxy settings, so defenders should look for relay behaviour instead: baseline what smart TVs, streaming boxes and other consumer devices normally talk to, and alert when one maintains a long-lived connection to a single external host while fanning out to many unrelated destinations, with byte counts on the backhaul that mirror the traffic to those destinations. Block known proxy-service domains at the DNS layer, and on managed Android fleets inventory apps that hold both permissions above and did not come from an approved source.
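To make that relay heuristic concrete, the following is an added example, not code from the report, from Google, or from the service it describes. It runs over constructed Zeek conn.log-style records and flags a host when it shows all three signs at once: a long-lived backhaul to one external host, fan-out to many other destinations, and byte counts on the backhaul that mirror what was exchanged with those destinations. The thresholds and the RFC 1918 internal ranges are assumptions to tune against your own baseline.

```python
"""Flag devices whose traffic has the shape of residential-proxy relaying.

Added example for this advisory; not code from Google or from the takedown.
Records are Zeek conn.log-like, tab-separated: ts, orig_h, orig_p, resp_h,
resp_p, proto, duration, orig_bytes, resp_bytes. Sample records, thresholds
and the internal ranges are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample (TEST-NET addresses stand in for the internet).
# 192.168.1.20 streams video, 192.168.1.77 browses behind a long-lived
# websocket, 192.168.1.45 relays for an operator at 203.0.113.7.
SAMPLE_CONN_LOG = """\
1700000000.0\t192.168.1.20\t51001\t192.0.2.10\t5228\ttcp\t3600.0\t2000\t2100
1700000005.0\t192.168.1.20\t51002\t192.0.2.11\t443\ttcp\t12.0\t4200\t188000
1700000020.0\t192.168.1.20\t51003\t192.0.2.12\t443\ttcp\t30.5\t9800\t2400000
1700000000.0\t192.168.1.77\t43001\t192.0.2.50\t443\ttcp\t2400.0\t30000\t45000
1700000002.0\t192.168.1.77\t43002\t192.0.2.60\t443\ttcp\t4.0\t1200\t310000
1700000003.0\t192.168.1.77\t43003\t192.0.2.61\t443\ttcp\t1.5\t900\t85000
1700000004.0\t192.168.1.77\t43004\t192.0.2.62\t443\ttcp\t6.2\t2200\t540000
1700000005.0\t192.168.1.77\t43005\t192.0.2.63\t443\ttcp\t0.8\t700\t22000
1700000006.0\t192.168.1.77\t43006\t192.0.2.64\t443\ttcp\t3.1\t1500\t160000
1700000007.0\t192.168.1.77\t43007\t192.0.2.65\t443\ttcp\t1.2\t800\t61000
1700000000.0\t192.168.1.45\t40001\t203.0.113.7\t8443\ttcp\t3600.0\t382000\t4900
1700000010.0\t192.168.1.45\t40002\t198.51.100.21\t443\ttcp\t2.1\t600\t48000
1700000011.0\t192.168.1.45\t40003\t198.51.100.22\t443\ttcp\t1.9\t750\t52000
1700000012.0\t192.168.1.45\t40004\t198.51.100.23\t443\ttcp\t1.4\t520\t31000
1700000013.0\t192.168.1.45\t40005\t198.51.100.24\t80\ttcp\t0.6\t410\t9000
1700000014.0\t192.168.1.45\t40006\t198.51.100.25\t443\ttcp\t3.3\t980\t120000
1700000015.0\t192.168.1.45\t40007\t198.51.100.26\t443\ttcp\t1.7\t640\t44000
1700000016.0\t192.168.1.45\t40008\t198.51.100.27\t443\ttcp\t2.5\t700\t67000
"""

# Assumed internal ranges. ipaddress.is_private() would also match the
# TEST-NET blocks used above, so the check is explicit RFC 1918 only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    duration: float
    orig_bytes: int  # bytes the device sent
    resp_bytes: int  # bytes the device received


def parse_conn_log(text: str) -> list:
    flows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        f = line.split("\t")
        if len(f) != 9:
            raise ValueError(f"malformed record: {line!r}")
        flows.append(Flow(f[1], f[3], float(f[6]), int(f[7]), int(f[8])))
    return flows


def _mirrors(a: int, b: int, tolerance: float) -> bool:
    return max(a, b) > 0 and abs(a - b) / max(a, b) <= tolerance


def score_device(flows, min_backhaul_secs=900.0, min_fanout=6, tolerance=0.25):
    """Classify one device's flows. Returns (flagged, reason, backhaul_dst)."""
    external = [f for f in flows if not is_internal(f.dst)]
    # Backhaul candidate: the longest-lived external connection.
    backhaul = max(external, key=lambda f: f.duration, default=None)
    if backhaul is None or backhaul.duration < min_backhaul_secs:
        return False, "no_long_lived_flow", None
    others = [f for f in external if f.dst != backhaul.dst]
    if len({f.dst for f in others}) < min_fanout:
        return False, "low_fanout", backhaul.dst
    # A relay pulls target responses in and pushes them up the backhaul, and
    # receives customer requests on the backhaul that it pushes out to targets.
    pulled = sum(f.resp_bytes for f in others)
    pushed = sum(f.orig_bytes for f in others)
    if (_mirrors(backhaul.orig_bytes, pulled, tolerance)
            and _mirrors(backhaul.resp_bytes, pushed, tolerance)):
        return True, "relay_pattern", backhaul.dst
    return False, "asymmetric", backhaul.dst


def find_relays(flows) -> dict:
    by_src = defaultdict(list)
    for f in flows:
        if is_internal(f.src):
            by_src[f.src].append(f)
    return {src: score_device(fl) for src, fl in sorted(by_src.items())}


if __name__ == "__main__":
    verdicts = find_relays(parse_conn_log(SAMPLE_CONN_LOG))
    for src, (flagged, reason, backhaul) in verdicts.items():
        print(f"{src:<14} {'RELAY' if flagged else 'ok':<6} {reason} backhaul={backhaul}")
```

Run as a script it prints one verdict per device: the streaming box fails on fan-out, the browsing laptop on byte symmetry, and only 192.168.1.45 comes out as relay_pattern. In production feed it conn.log from the segment where TVs and streaming boxes live, and treat a hit as a lead to confirm with a packet capture rather than a verdict, since a VPN client or a peer-to-peer application on the same device can produce a similar shape.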

The disruption is significant but likely temporary. Operators of botnet-as-a-service infrastructure typically maintain backup infrastructure, and residential proxy demand remains high. Similar services have re-emerged under different branding within months of takedowns.